CS6456: Graduate Operating Systems Brad Campbell [email protected] https://www.cs.virginia.edu/~bjc8c/class/cs6456-f19/

CS6456: Graduate Operating Systems Brad Campbell  bradjc@virginia.edu https://www.cs.virginia.edu/~bjc8c/class/cs6456-f19/

CS6456: Graduate Operating Systems Brad Campbell [email protected] https://www.cs.virginia.edu/~bjc8c/class/cs6456-f19/ 1 2 Protection vs. Security Protection: mechanisms for controlling access of programs, processes, or users to resources Page table mechanism Round-robin schedule Data encryption Security: use of protection mechanisms to prevent misuse of resources Misuse defined with respect to policy E.g.: prevent exposure of certain sensitive information E.g.: prevent unauthorized modification/deletion of data Need to consider external environment the system operates in Most well-constructed system cannot protect information if user accidentally reveals password social engineering challenge 3

Security Requirements Authentication Ensures that a user is who is claiming to be Data integrity Ensure that data is not changed from source to destination or after being written on a storage device Confidentiality Ensures that data is read only by authorized users Non-repudiation Sender/client cant later claim didnt send/write data Receiver/server cant claim didnt receive/write data 4 Why are Data Breaches so Frequent? Really Large TCB SSL h SSL

Really Large TCB SSL h Full OS TCB State of the art: AdHoc boundary construction! Protection mechanisms are roll-your-own and different for each application Use of encrypted channels to tunnel across untrusted domains Data is typically protected at the Border rather than Inherently Large Trusted Computing Base (TCB): huge amount of code must be correct to protect data Make it through the border (firewall, OS, VM, container, etc) data compromised! What about data integrity and provenance? Any bits inserted into secure environment get trusted as authentic 5 Securing Communication: Cryptography Cryptography: communication in the presence of adversaries Studied for thousands of years See the Simon Singhs The Code Book for an excellent, highly readable history Central goal: confidentiality

How to encode information so that an adversary cant extract it, but a friend can General premise: there is a key, possession of which allows decoding, but without which decoding is infeasible Thus, key must be kept secret and not guessable 6 Using Symmetric Keys Same key for encryption and decryption Achieves confidentiality Vulnerable to tampering and replay attacks m Plaintext (m) Encrypt with secret key Internet Decrypt with secret key Ciphertext

7 Block Ciphers with Symmetric Keys Block cipher algorithms encrypt blocks of data Works with a block size (e.g., 64 bits) Can encrypt blocks separately: Same plaintextsame ciphertext Much better: Add in counter and/or link ciphertext of previous block 9 Authentication in Distributed Systems What if identity must be established across network? PASS: gina Network Need way to prevent exposure of information while still proving identity to remote system

Many of the original UNIX tools sent passwords over the wire in clear11text Authentication via Secret Key Main idea: entity proves identity by decrypting a secret encrypted with its own key K secret key shared only by A and B A can asks B to authenticate itself by decrypting a nonce, i.e., random value, x Avoid replay attacks (attacker impersonating client or server) Vulnerable to man-in-the middle attack A E(x, K B ) x Notation: E(m,k) encrypt message m with key k 12

Secure Hash Function Fox Hash Function DFCD3454BBEA788A 751A696C24D97009 CA992D17 The red fox runs across the ice Hash Function 52ED879E70F71D92 6EB6957008E03CE4 CA6945D3 Hash Function: Short summary of data (message) For instance, h1=H(M1) is the hash of message M1 h1 fixed length, despite size of message M1

Often, h1 is called the digest of M1 Hash function H is considered secure if It is infeasible to find M2 with h1=H(M2); i.e., cant easily find other message with same digest as given message It is infeasible to locate two messages, m1 and m2, which collide, i.e. for which H(m1) 13 = H(m2) Integrity: Cryptographic Hashes Basic building block for integrity: cryptographic hashing Associate hash with byte-stream, receiver verifies match Assures data hasnt been modified, either accidentally or maliciously Approach: Sender computes a secure digest of message m using H(x) H(x) is a publicly known hash function Digest d = HMAC (K, m) = H (K | H (K | m)) HMAC(K, m) is a hash-based message authentication function Send digest d and message m to receiver Upon receiving m and d, receiver uses shared secret key, K, to recompute HMAC(K, m) and see whether result agrees with d 14

Using Hashing for Integrity corrupted msg plaintext (m) m NO = Digest HMAC(K,m) Internet digest Digest HMAC(K,m) Encrypted Digest Unencrypted Message Can encrypt m for confidentiality 15

Standard Cryptographic Hash Functions MD5 (Message Digest version 5) Developed in 1991 (Rivest), produces 128 bit hashes Widely used (RFC 1321) Broken (1996-2008): attacks that find collisions SHA-1 (Secure Hash Algorithm) Developed in 1995 (NSA) as MD5 successor with 160 bit hashes Widely used (SSL/TLS, SSH, PGP, IPSEC) Broken in 2005, government use discontinued in 2010 SHA-2 (2001) Family of SHA-224, SHA-256, SHA-384, SHA-512 functions HMACs are secure even with older insecure hash functions 16 Key Distribution How do you get shared secret to both places? For instance: how do you send authenticated, secret mail to someone who you have never met? Must negotiate key over private channel Exchange code book/key cards/memory stick/others

Could use a third party 17 Third Party: Authentication Server (Kerberos) Notation: Kxy is key for talking between x and y ()K means encrypt message () with the key K Clients: A and B, Authentication server S q Re et k c Ti et k

c Ti Key Server Ticket Secure Communication Usage: A asks server for key: AS: [Hi! Id like a key for talking between A and B] Not encrypted. Others can find out if A and B are talking Server returns session key encrypted using Bs key SA: Message [ Use Kab (This is A! Use Kab)Ksb ] Ksa This allows A to know, S said use this key Whenever A wants to talk with B AB: Ticket [ This is A! Use Kab ]Ksb 18 Asymmetric Encryption (Public Key) Idea: use two different keys, one to encrypt (e) and one to decrypt (d) A key pair

Crucial property: knowing e does not give away d Therefore e can be public: everyone knows it! If Alice wants to send to Bob, she fetches Bobs public key (say from Bobs home page) and encrypts with it Alice cant decrypt what shes sending to Bob but then, neither can anyone else (except Bob) 20 Public Key Encryption Details Idea: Kpublic can be made public, keep Kprivate private Insecure Channel Bpublic Aprivate Alice Bprivate Apublic Insecure Channel Bob Gives message privacy (restricted receiver):

Public keys (secure destination points) can be acquired by anyone/used by anyone Only person with private key can decrypt message What about authentication? Use combination of private and public key AliceBob: [(Im Alice)Aprivate Rest of message]Bpublic Provides restricted sender and receiver But: how does Alice know that it was Bob who sent her Bpublic? And vice versa 22 Public Key Cryptography Invented in the 1970s Revolutionized cryptography (Was actually invented earlier by British intelligence) How can we construct an encryption/decryption algorithm using a key pair with the public/private properties? Answer: Number Theory Most fully developed approach: RSA Rivest / Shamir / Adleman, 1977; RFC 3447 Based on modular multiplication of very large integers Very widely used (e.g., ssh, SSL/TLS for https)

Also mature approach: Eliptic Curve Cryptography (ECC) Based on curves in a Galois-field space Shorter keys and signatures than RSA 23 Non-Repudiation: RSA Crypto & Signatures Suppose Alice has published public key KE If she wishes to prove who she is, she can send a message x encrypted with her private key KD (i.e., she sends E(x, KD)) Anyone knowing Alices public key KE can recover x, verify that Alice must have sent the message It provides a signature Alice cant deny it: non-repudiation I will pay Could simply encrypt a hash of the data to sign a document that you wanted to be in clear text Bob $500 Note that either of these signature techniques work perfectly well with any data (not just messages) Could sign every datum in a database, for instance I will pay

Bob $500 26 Digital Certificates How do you know KE is Alices public key? Trusted authority (e.g., Verisign) signs binding between Alice and KE with its private key KVprivate C = E({Alice, KE}, KVprivate) C: digital certificate Alice: distribute her digital certificate, C Anyone: use trusted authoritys KVpublic, to extract Alices public key from C D(C, KVpublic) = D(E({Alice, KE}, KVprivate), KVpublic) = {Alice, KE} 27 Putting It All Together - HTTPS What happens when you click on https://www.amazon.com? https = Use HTTP over TLS SSL = Secure Socket Layer TLS = Transport Layer Security Provides security layer (authentication, encryption) on top of TCP

Fairly transparent to applications 29 HTTPS Connection (SSL/TLS) (contd) Browser Browser (client) connects via TCP to Amazons HTTPS server Client sends over list of crypto protocols it supports Server picks protocols to use for this session Server sends over its certificate (all of this is in the clear) Amazon Hell o (TLS . I supp +RS o or A+A rt ES1

(SSL 28+S +RS HA2 A+3 ) DES +M D 5) o r se SHA Lets u A+AES128+ S TLS+R ert c y 2 m res He

30 Inside the Servers Certificate Name associated with cert (e.g., Amazon) Amazons RSA public key A bunch of auxiliary info (physical address, type of cert, expiration time) Name of certificates signatory (who signed it) A public-key signature of a hash (SHA-256) of all this Constructed using the signatorys private RSA key, i.e., Cert = E(HSHA256(KApublic, www.amazon.com, ), KSprivate)) KApublic: Amazons public key KSprivate: signatory (certificate authority) private key 31 Validating Amazons Identity How does the browser authenticate certificate signatory? Certificates of several certificate authorities (e.g., Verisign) are hardwired into the browser (or OS) If cant find cert, warn user that site has not been verified And may ask whether to continue Note, can still proceed, just without authentication

Browser uses public key in signatorys cert to decrypt signature Compares with its own SHA-256 hash of Amazons cert Assuming signature matches, now have high confidence its indeed Amazon assuming signatory is trustworthy DigiNotar CA breach (July-Sept 2011): Google, Yahoo!, Mozilla, Tor project, Wordpress, (531 total certificates) 32 HTTPS Connection (SSL/TLS) contd Browser Amazon Browser encrypts K using Amazons public key cert y m s Here f data

o B K ~1 E(K, K Apub ) lic Browser sends E(K, KApublic) to server d Agree Browser constructs a random session key K used for data communication Private key for bulk crypto Browser displays All subsequent comm. encrypted w/ symmetric cipher (e.g., AES128) using key K E.g., client can authenticate using a password K

E(pas sword K , K) onse p s e r ( E , K) 34 Hardware Security Definition: implement security protection mechanisms in hardware E.g., design trusted hardware, as opposed to (in addition to) trusted software

Software security: software protect software! Vulnerable to attacks Is the antivirus/hardware untouched? Easy infiltration Fast spread Hardware security: hardware protect software Attacks need physical access Software infiltration much more difficult 35 Trusted Platform Module (TPM) A chip integrated into the hardware platform It is a separate, trusted co-processor The TPM represents a separate trusted coprocessor, whose state cannot be compromised by potentially malicious host system software. IBM Research Report 36

Goals TPMs allow a system to: Gather and attest system state Store and generate cryptographic data Prove platform identity Prevents unauthorized software Helps prevent malware 37 TPM Components Root key PKI private keys could be stored in the chip PK signatures calculated in the chip itself, never visible outside Random number generators SHA-1 encryption Monotonic counters Process isolation (encrypted I/O, prevents keystroke loggers, screen scrapers) 38 Limitations Advanced features will require O/S support Potential for abuse by Software vendors

Co-processor or Cop-processor? Trusted Computing requires you to surrender control of your machine to the vendors of your hardware and software, thereby making the computer less trustworthy from the users perspective - Ross Anderson The TPM's most controversial feature is attestation, the ability to measure the state of a computer and send a signed message certifying that particular hardware or software is or isn't present. 39 Real-World Applications Hard drive encryption BitLocker in Windows 8 Trustworthy OS Googles Chromebook use TPM to prevent firmware rollback Potential applications: DRM Fighting pirate software 40 BitLocker Drive Encryption Architecture

Static Root of Trust Measurement of boot components PreOS Static OS All Boot Blobs unlocked Volume Blob of Target OS unlocked TPM Init BIOS MBR BootSector BootBlock BootManager OS Loader Start OS 42

Disk Layout And Key Storage OS Volume Contains Wheres the Encryption Key? Encrypted OS 1. SRK (Storage Root Key) contained in TPM Encrypted Page File 2. SRK encrypts FVEK (Full Volume Encryption Key) protected by TPM/PIN/USB Storage Device Encrypted Temp Files Encrypted Data 3. FVEK stored (encrypted by SRK) on hard drive in the OS Volume Encrypted Hibernation File 3 OS Volume

2 FVEK 1 SRK System System Volume Contains: MBR, Boot manager, Boot Utilities (Unencrypted, small) 43 Intel SGX: Goals Extension to Intel processors that support: Enclaves: running code and memory isolated from the rest of system Attestation: prove to local/remote system what code is running in enclave

Minimum TCB: only processor is trusted nothing else: DRAM and peripherals are untrusted all writes to memory are encrypted 45 Applications Server side: Storing a Web server HTTPS secret key: key only opened inside an enclave malware cannot get the key Running a private job in the cloud: job runs in enclave Cloud admin cannot get code or data of job Client side: Hide anti-virus (AV) signatures: AV signatures are only opened inside an enclave not exposed to adversary in the clear

Hide proprietary ML models: Speech detection on smart home devices Models secret and hidden from competitors 46 Intel SGX: how does it work? An application defines part of itself as an enclave Untrusted part Enclave create enclave (isolated memory) Process memory 47 Intel SGX: how does it work? An application defines part of itself as an enclave Untrusted part Enclave create enclave

enclave code runs using enclave data call TrustedFun 67g35bd954bt Process memory 48 Intel SGX: how does it work? An application defines part of itself as an enclave Untrusted part create enclave call TrustedFun Enclave enclave data only accessible to code in enclave 67g35bd954bt Process memory 49

How does it work? Part of process memory holds the enclave: low app code enclave enclave code high enclave data OS Process memory Enclave code and data are stored encrypted in main memory Processor prevents access to cached enclave data outside of enclave. 50 Creating an enclave: new instructions ECREATE: establish memory address for enclave EADD: copies memory pages into enclave

EEXTEND: computes hash of enclave contents (256 bytes at a time) EINIT: verifies that hashed content is properly signed if so, initializes enclave (signature = RSA-3072) EENTER: call a function inside enclave EEXIT: return from enclave 51 SGX Summary SGX: an architecture for managing secret data Intended to process data that cannot be read by anyone, except for code running in enclave Attestation: proves what code is running in enclave Minimal TCB: nothing trusted except for x86 processor Not suitable for legacy applications 53 SGX insecurity: side channels

enclave OS processor memory bus (enc data) DRAM memory Attacker controls the OS. OS sees lots of side-channel info: Memory access patterns All can leak State of processor caches enclave data. as enclave executes Difficult to block. State of branch predictor 57 The Spectre attack Speed vs. security in HW [slides credit: Paul Kocher]

59 Memory caches (4-way associative) Caches hold local (fast) copy of recently-accessed 64-byte chunks of memory CPU Sends address, Receives data Addr: 2A1C0700 MEMORY CACHE Data: AC 99 17 8F 44 09.. Addr: 132E1340 Data: AC 99 17 8F 44 09.. Addr Cached Data ~64B

0 F0016280 31C6F4C0 339DD740 614F8480 B5 9A C7 17 F5 DA D7 4C 80 59 A0 59 21 11

86 B8 E3 48 67 58 2C.. F2.. 18.. A7.. 1 71685100 132A4880 2A1C0700 2A1C0700 C017E9C0 27 30 9E D1

BD B2 C3 76 5D 8F DA 16 2E 27 EE 54 84 05 B7 51 29.. 9C.. D9.. 5B..

2 311956C0 002D47C0 91507E80 55194040 0A C4 60 DF 55 15 D0 66 47 4D 2C E9 82 78

DD D0 86 B5 78 11 4E.. C4.. 14.. 43.. 3 9B27F8C0 8E771100 A001FB40 317178C0 132E1340 6618E980 BA0CDB40 89E92C00 090F9C40

84 A0 7F C7 4E 3B 0B 20 0C DB 29 D9 F5 6A 72 35 82 78 AC Evict 99 CB 17 to 91 8F make 44 BC.. 58.. 50.. 8B.. room 09.. 35 B0 1C

BB F1.. 7F.. 6F.. 1F.. Fast Data: 9E C3 DA EE B7 D3.. Addr: 132E1340 Set hash(addr) to map to cache set Slow Fast 4 11

FC 50 71 4A 5A A4 ED E0 20 F8 16 2E D0 EB 07 Address: 132E1340 Data: AC 99 17 8F 44 09.. MAIN

MEMORY Big, slow e.g. 16GB SDRAM Reads change system state: Read to newly-cached location is fast Read to evicted location is slow 60 Speculative execution CPUs can guess likely program path and do speculative execution Example: if (uncached_value == 1) // load from memory a = compute(b) Branch predictor guesses if() is true (based on prior history) Starts executing compute(b) speculatively When value arrives from memory, check if guess was correct: Correct: Save speculative work performance gain Incorrect: Discard speculative work no harm (?) 61 Conditional branch (Variant 1) attack if (x < array1_size)

y = array2[ array1[x]*4096 ]; Suppose unsigned int x comes from untrusted caller Execution without speculation is safe: array2[array1[x]*4096] not eval unless x < array1_size What about with speculative execution? 63 Conditional branch (Variant 1) attack if (x < array1_size) y = array2[array1[x]*4096]; Before attack: Train branch predictor to expect if() is true (e.g. call with x < array1_size) Evict array1_size and array2[] from cache

Memory & Cache Status array1_size = 00000008 Memory at array1 base: 8 bytes of data (value doesnt matter) Memory at array1 base+1000: 09 F1 98 CC 90...(something secret) array2[ 0*4096] array2[ 1*4096] array2[ 2*4096] array2[ 3*4096] array2[ 4*4096] array2[ 5*4096] array2[ 6*4096] array2[ 7*4096] array2[ 8*4096] array2[ 9*4096] array2[10*4096] array2[11*4096] Contents dont matter only care about cache status Uncached Cached

64 Conditional branch (Variant 1) attack if (x < array1_size) y = array2[array1[x]*4096]; Attacker calls victim with x=1000 Speculative exec while waiting for array1_size: Predict that if() is true Read address (array1 base + x) (using out-of-bounds x=1000) Read returns secret byte = 09 (in cache fast ) Memory & Cache Status array1_size = 00000008 Memory at array1 base: 8 bytes of data (value doesnt matter) Memory at array1 base+1000: 09 F1 98 CC 90...(something secret) array2[ 0*4096] array2[ 1*4096] array2[ 2*4096] array2[ 3*4096] array2[ 4*4096]

array2[ 5*4096] array2[ 6*4096] array2[ 7*4096] array2[ 8*4096] array2[ 9*4096] array2[10*4096] array2[11*4096] Contents dont matter only care about cache status Uncached Cached 65 Conditional branch (Variant 1) attack if (x < array1_size) y = array2[array1[x]*4096]; Attacker calls victim with x=1000 Next: Request mem at (array2 base + 09*4096) Brings array2[09*4096] into the cache Realize if() is false: discard speculative work Finish operation & return to caller

Memory & Cache Status array1_size = 00000008 Memory at array1 base: 8 bytes of data (value doesnt matter) Memory at array1 base+1000: 09 F1 98 CC 90...(something secret) array2[ 0*4096] array2[ 1*4096] array2[ 2*4096] array2[ 3*4096] array2[ 4*4096] array2[ 5*4096] array2[ 6*4096] array2[ 7*4096] array2[ 8*4096] array2[ 9*4096] array2[10*4096] array2[11*4096] Contents dont matter only care about cache status Uncached Cached

66 Conditional branch (Variant 1) attack if (x < array1_size) y = array2[array1[x]*4096]; Attacker calls victim with x=1000 Attacker: measures read time for array2[i*4096] Read for i=09 is fast (cached), reveals secret byte !! Repeat with many x (10KB/s) Memory & Cache Status array1_size = 00000008 Memory at array1 base: 8 bytes of data (value doesnt matter) Memory at array1 base+1000: 09 F1 98 CC 90...(something secret) array2[ 0*4096] array2[ 1*4096] array2[ 2*4096] array2[ 3*4096] array2[ 4*4096]

array2[ 5*4096] array2[ 6*4096] array2[ 7*4096] array2[ 8*4096] array2[ 9*4096] array2[10*4096] array2[11*4096] Contents dont matter only care about cache status Uncached Cached 67

Recently Viewed Presentations

  • Library Catalogue How to use the Library Catalogue

    Library Catalogue How to use the Library Catalogue

    edgehill.ac.uk/ls. How to use the Library Catalogue to find print and online resources. ... To access the library catalogue login to the GO portal, then click the Library Catalogue link. The search page will look like this. Find your reading...
  • Minimizing Disputes in Construction Projects Through Effective Construction

    Minimizing Disputes in Construction Projects Through Effective Construction

    Pre-project Planning - contractual safeguards before every project. Contractual Boundaries - good fences equal good neighbors. Project Controls - maintaining transparency with construction auditing. Objectives for Knowledge Transfer. This is a live webinar and interactive broadcast. Here's what we'll be...
  • Department of the Interior and Local Government Philippines

    Department of the Interior and Local Government Philippines

    Review of planning experience and surfacing of lessons (August) Provision of guidelines for the review and update process (November) HRMD. Orientation on SCALOG (January to March) Conduct of skills inventory (January to March) Responsive HRMD Orientation for all HRM units...
  • BDOL Interactive Chalkboard

    BDOL Interactive Chalkboard

    The chisel-like incisors of beavers are modified for gnawing. Most mammals have specialized teeth. Section 32.1 Summary - pages 841 - 847. A lion's canines puncture and tear the flesh of its prey. Most mammals have specialized teeth.
  • VT PowerPoint Template2

    VT PowerPoint Template2

    Exam results and OpenDSA interaction logs. Population: DSA students (55 and 57 students in the control and treatment groups, respectively). ... Median time required for Khan Academy-style mini-proficiency exercises. Time Required for Proficiency.
  • Snímek 1 - eucitel.cz

    Snímek 1 - eucitel.cz

    VZÁJEMNÉ PŮSOBENÍ TĚLES Podmínky používání prezentace Stažení, instalace na jednom počítači a použití pro soukromou potřebu jednoho uživatele je zdarma.
  • I. Code of Ethics for Engineers

    I. Code of Ethics for Engineers

    Times New Roman Tahoma Wingdings Arial Blends Robots … in the image of Man in the image of Man Robot - the word Metropolis, 1926 Metropolis, 1926 C3P0 versus Arnold BattleBots, 2000 Robot - a definition The first real robot,...
  • 4.2: Angle Relationships in Triangles

    4.2: Angle Relationships in Triangles

    4.2: Angle Relationships in Triangles. A line drawn connected to a shape to help write a proof. In this case I have extended a side of a triangle to create an exterior angle.